arp not found

Reply
L2 Linker

arp not found

Yesterday I attempted to move our Internet connection from a copper interface on ethernet1/1 to fiber optic on ethernet 1/13 on a Palo Alto 3020. 

 

I ensured both interfaces were members of the  same security zone and modified the Default route of default-vr to use ethernet 1/13 instead of 1/1.

 

While I and the NOC technician confirmed the fiber port was configured and up, I could not ping out to the Internet. 

 

During that time ran a show interfaces ethernet1/13 and found 13 instances of "arp not found" under the Logical interface counters read from CPU. 

 

It seems that maybe I needed to clear the arp table? I say so because I believe the firewall was trying  to reach the MAC of our next hop ( our fiber switch ) through ethernet1/1 instead of ethernet1/13.

 

Any advice would be greatly appreciated!


Accepted Solutions
L7 Applicator

was the next-hop IP identical for the fiber as what it was on copper ?

 

you could try clearing the arp cache with  

> clear arp ethernet1/1 

to verify if the issue's related to arp, you can check the global counters for more detailed information:

> show counter global filter delta yes | match arp

 

 

 

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374

View solution in original post


All Replies
L7 Applicator

was the next-hop IP identical for the fiber as what it was on copper ?

 

you could try clearing the arp cache with  

> clear arp ethernet1/1 

to verify if the issue's related to arp, you can check the global counters for more detailed information:

> show counter global filter delta yes | match arp

 

 

 

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374

View solution in original post

L4 Transporter

Have you changed the zones? like ethernet 1/1 zone name and ethernet 1/13 zone?

If same zone you are using, no issue.

otherwie security rule should be created

PCNSE-7, ACE-6,ACE 7 , CCNP, CCNA,CCIE(theory) , RHCE
Firewalldog dot com
L2 Linker

Thanks for the reply @Roby_Sreejith. I confirmed before the switch over that the new fiber port ethernet1/13 had been assigned to the same seucurity zone, L3-Untrusted, as ethernet1/1 had been assigned to.

L2 Linker

Thanks @reaper.  We have a Cisco 3400 fiber switch that  is our next hop from the 3020. Within the static-route tab of the default-vr I did not change the next hop.

 

Since the fiber switch remains as our next hop I don't believe anything is out of place with regard to  next hop configuration.

 

Appreciate the suggestions about clearing arp cache and checking arp stats!

L2 Linker

This was the state of our fiber port yesterday before I abandoned ship and moved back over to copper on eth1/1

 

 

bob@pafw> show interface ethernet1/13
--------------------------------------------------------------------------------
Name: ethernet1/13, ID: 28
Link status:
Runtime link speed/duplex/state: 1000/full/up
Configured link speed/duplex/state: 1000/auto/auto
MAC address:
Port MAC address d4:f4:be:ab:cd:ef
Operation mode: layer3
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ethernet1/13, ID: 28
Operation mode: layer3
Virtual router default-vr
Interface MTU 1500
Interface IP address: 17.22.113.34/28
17.22.113.37/32
Interface management profile: N/A
Service configured: IKE
Zone: L3-Untrusted, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Physical port counters read from MAC:
--------------------------------------------------------------------------------
rx-broadcast 0
rx-bytes 0
rx-multicast 0
rx-unicast 0
tx-broadcast 8
tx-bytes 512
tx-multicast 0
tx-unicast 0
--------------------------------------------------------------------------------
Hardware interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received 1614
bytes transmitted 336
packets received 13
packets transmitted 8
receive incoming errors 0
receive discarded 0
receive errors 0
packets dropped 0
--------------------------------------------------------------------------------
Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received 1614
bytes transmitted 336
packets received 13
packets transmitted 8
receive errors 0
packets dropped 0
packets dropped by flow state check 0
forwarding errors 0
no route 0
arp not found 13
neighbor not found 0
neighbor info pending 0
mac not found 0
packets routed to different zone 0
land attacks 0
ping-of-death attacks 0
teardrop attacks 0
ip spoof attacks 0
mac spoof attacks 0
ICMP fragment 0
layer2 encapsulated packets 0
layer2 decapsulated packets 0
--------------------------------------------------------------------------------

bob@pafw>

 

 

L6 Presenter

Hi Andrew.

 

 So both ports are in the same subnet? Any logs from the Cisco switch? ARP table 

L2 Linker

Hey @TranceforLife,

 

Our ISP has assigned us a block of /28 IP addresses. In my description I was trying to emphasize that I copied/mirrored the same settings on eth1/13 from eth1/1. As a result both interfaces have the same addresses assigned, just not at the same time.

 

In other words,  before pulling the copper line and installing the fiber I did the following to produce a valid configuration that would commit. After the following steps I pull copper and plug in optical.

1) Assign eth1/13 to same Security Zone as eth1/1 - that is L3-Untrusted.

2) Remove IP addresses AAA.BBB.CCC.34/28  &  AAA.BBB.CCC.37 and assign to eth1/13

3) Modify default-vr to include int1/13 and assign as interface to be used for the Default Route.

4) Move IKE Gatway interface assignment from eth1/1 to eth1/13

 

I do not own, manage, or have console access to the Cisco switch but could inquire with the NOC for any specific statistics if you have any suggestions.

 

 

Much appreciated.

L6 Presenter

Hi Andrew,

 

Try to run PCAP on the 1/13 interface to see for the ARP packets. Configure the filter for this interface and capture Receive and Transmit packets only.  KB article below:

 

https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390

 

Try GUI option, it is easier 

 

Cheers

L4 Transporter

Have you verified the NAT policy?

Just make sure you have migrated everything belongs to e1/1 to e1/13 in NAT

PCNSE-7, ACE-6,ACE 7 , CCNP, CCNA,CCIE(theory) , RHCE
Firewalldog dot com
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!